
Cross Site Request Forgery

I have many people from various domains in my friend circle: doctors, architects, businessmen and so on. Many of them rely heavily on the internet, yet they are not much aware of its potential threats. Like them, many people don't take basic precautions such as logging out after they finish or using the latest, more secure browsers. Sometimes you have to face the consequences of this lack of knowledge. Sometimes it is not the user's fault at all: the developers of the website make the site vulnerable by not following good programming practice and not implementing adequate security measures, and their users have to pay for it.

One weekend when I was hanging out with my friends, one of them told me about an incident which took place while he was performing some online transactions. He said that while he was online doing some transactions with his bank account, someone got unauthorized access to his account and transferred money out of it. Luckily for him, the amount was not much, but he is now reluctant to make any online transaction.

I decided to hunt down this incident. There was no question of him giving away his account details knowingly or unknowingly, as he said that he didn't keep the password anywhere but in his brain (:)). Neither had he been phished by clicking on some unknown link that displays a site similar to the bank's site. I asked him what else he was browsing while he was doing those online transactions. He said that he was exploring various demand and supply forums, where you make a wish for a particular video/music/software which gets fulfilled by other members of that forum.

I decided to take a look at those sites and quickly realized that those forums were occupied not only by music and video lovers, but also by many crackers. I had a closer look at the threads visited by my friend, and I found what I was suspecting. My friend was a victim of what is called 'Cross Site Request Forgery' aka CSRF or XSRF.

CSRF is an attack initiated by one user against a website. The website in this case 'trusts' the user, and that trust is exploited by passing unauthorized commands in the user's name; in the other type of attack, Cross Site Scripting (XSS), it is the user who trusts the site. In CSRF attacks an unauthorized user exploits a site vulnerability to get at an authorized user's data by sending commands as that user. The authorized user is already 'authenticated' by the site, which may have stored the authentication info in a session cookie. The unauthorized user rides on this cookie, which the browser attaches automatically, to fire unauthorized commands. Let's see what may have happened in my friend's case.

I viewed the HTML code of the forum visited by my friend. In one reply, posted by some Mr. XX, I saw the following HTML iframe tag: <iframe src="http://xyz.com/transfer.php" width="1" height="1"></iframe>

I was able to track down transfer.php, and saw the following code:

<!-- Hidden fields carry the same names as the bank's own transfer form -->
<form name='frm1' action='https://bankdomain.com/transfer' method='post'>
<input type='hidden' name='toname' value='andh12'>
<input type='hidden' name='amt' value='100'>
</form>

<script>
// Submit the form as soon as the page loads; the browser attaches the bank cookie
document.frm1.submit();
</script>

So this was it! Let's see step by step what Mr. XX is up to here. First, he loaded, via an HTML iframe tag, a page on his own domain. On that page he used a form with hidden elements carrying exactly the same names as in the bank's amount transfer form (toname and amt). Next, he submitted the form with JavaScript, with the action set to the transfer page on the bank's domain. Since my friend was logged into his bank account, that site was keeping his authentication information in a cookie, and since that cookie had not expired, the browser sent the cookie along with the POST data to the action URL. The bank treated it as a legitimate request, since it had not implemented proper security to tackle this kind of intrusion. So Mr. XX got unauthorized use of the user's authentication cookie and hence was able to fire unauthorized commands. The important thing to note here is that my friend's browser had no way to know whether the request it was making on behalf of my friend was legitimate or not. This attack is also called a 'Confused deputy attack', where the browser acts as the deputy.

CSRF attacks have the following characteristics:

– They are made against an authenticated user, exploiting the site's trust in that user
– They trick the user's web browser and force it to send an unauthorized HTTP request
– Both the user and the browser are tricked because of improper implementation of the security measures by the web application that handles authentication and authorization of the user

Prevention –

Normal users can do very little to prevent this kind of attack. All they can do is avoid visiting such malicious websites and forums, and avoid clicking on links in spam mails. Web applications carry the main responsibility for preventing such attacks, which can be achieved by:

– Checking the HTTP referrer header (spelled Referer in HTTP). The web app can check whether the referrer is the one it should be.
– Limiting the lifetime of authentication cookies.
– Generating a user-specific secret token, which the client (browser) must send with each HTTP request.
– Logging the user out automatically if inactive for a specific time.
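One way the bank's application could implement the token and referrer checks listed above, as an added example that is not code from the original post. It assumes a hypothetical server-side secret, uses the bank origin https://bankdomain.com and the forged field values from the post, and treats a request with neither an Origin nor a Referer header as failing the referrer check.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Hypothetical values for this example: the server-side secret and the site's origin.
SERVER_SECRET = b"hypothetical-server-secret-kept-only-on-the-server"
SITE_ORIGIN = "https://bankdomain.com"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """User-specific secret token: an HMAC of the session id under a server secret.
    The bank embeds it as a hidden field in its own transfer form. A page on
    another domain cannot read the bank's page, so a forged form cannot include it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def referrer_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Check that the request came from the site's own origin, using the Origin
    header if present and falling back to Referer. A missing header is rejected
    for a state-changing request such as a money transfer."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def accept_transfer(headers: dict, form: dict, session_id: str,
                    secret: bytes = SERVER_SECRET) -> bool:
    """Accept the POST only if it carries the token for this session AND came
    from the bank's own origin. The session cookie alone is not enough."""
    expected = issue_csrf_token(session_id, secret).encode()
    supplied = form.get("csrf_token", "").encode()
    # Constant-time comparison so the check does not leak the token via timing.
    token_ok = hmac.compare_digest(expected, supplied)
    return token_ok and referrer_allowed(headers)


# Constructed sample: the POST the attacker's hidden iframe page would submit.
# The browser attaches the victim's cookie, but there is no token and the
# Origin is the attacker's domain, so the bank should refuse it.
FORGED_HEADERS = {"Origin": "http://xyz.com"}
FORGED_FORM = {"toname": "andh12", "amt": "100"}


def legitimate_request(session_id: str) -> tuple:
    """Constructed sample: the bank's own form, submitted from the bank's page."""
    form = {"toname": "andh12", "amt": "100",
            "csrf_token": issue_csrf_token(session_id)}
    return {"Origin": SITE_ORIGIN}, form
```

The token check alone already defeats the forged form from the post; the origin check is a second, independent layer in case the token handling has a gap.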

There are certain conditions, though, which must be fulfilled by the attacker in order to carry out this attack:

– The attacker must get the victim onto a web page containing the malicious code while the victim is logged in.
– The attacker must identify the form submission URL and pass exactly the field names and values that form expects.
– If the site is checking the HTTP referrer, then the attacker must spoof the HTTP referrer header.

So the moral of the story is that, as a normal user, you should be careful while surfing the internet. If you are accessing sensitive sites like your bank, use a separate browser for them, and another browser for the rest of the sites. Always log off when you are done. If you are a web developer, you should implement the security mechanisms to counter these attacks.
